Snort mailing list archives
Re: Wierd Packets, ICMP Dest Unreachable
From: Matt Scarborough <vexversa () usa net>
Date: 15 Jun 2001 01:27:18 EDT
On Thu, 14 Jun 2001 16:02:52 -0600, Phil Wood wrote:
> On Thu, Jun 14, 2001 at 03:09:33PM -0400, Matt Scarborough wrote:
> > Phil, It really is not a problem per se. I think it would only be a problem if
>
> The problem to me is, that snort code in log.c does not know where the packet ends and decodes trash and prints the results as real stuff.
I agree. This becomes a problem for those post-processing Snort output. Looking at DoS backscatter comes to mind.

Here are two packets. Snort captured them based on the following two rules.

alert tcp $HOME_NET 1159 -> 207.71.92.193 80 (msg:"Packet the Router Rejected"; flags: R; logto: "RESET.LOG";)

log icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Dest Unreach (Code 13 Administratively Prohibited)"; itype: 3; icode: 13; logto: "IB_UNREACHABLE.LOG";)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Packet the Router Rejected [**]
06/02-19:32:27.842493 63.11.38.118:1159 -> 207.71.92.193:80
TCP TTL:64 TOS:0x0 ID:24205 IpLen:20 DgmLen:40
*****R** Seq: 0xA65FB7 Ack: 0xC9FED72 Win: 0x0 TcpLen: 20
0x0000: 20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00   SRC..DEST....E.
0x0010: 00 28 5E 8D 00 00 40 06 8A B9 3F 0B 26 76 CF 47  .(^...@...?.&v.G
0x0020: 5C C1 04 87 00 50 00 A6 5F B7 0C 9F ED 72 50 04  \....P.._....rP.
0x0030: 00 00 BF 10 00 00                                ......
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] ICMP Dest Unreach (Code 13 Administratively Prohibited) [**]
06/02-19:32:28.676456 129.250.46.49 -> 63.11.38.118
ICMP TTL:239 TOS:0x0 ID:7979 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
63.11.38.118:1159 -> 207.71.92.193:80
TCP TTL:44 TOS:0x0 ID:24205 IpLen:20 DgmLen:40
**U*P*S* Seq: 0xA65FB7 Ack: 0x5B335F27 Win: 0x5441 TcpLen: 20 UrgPtr: 0x4F5F
** END OF DUMP
0x0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00  DEST.. SRC....E.
0x0010: 00 38 1F 2B 00 00 EF 01 96 ED 81 FA 2E 31 3F 0B  .8.+.........1?.
0x0020: 26 76 03 0D 97 BE 00 00 00 00 45 00 00 28 5E 8D  &v........E..(^.
0x0030: 00 00 2C 06 9E B9 3F 0B 26 76 CF 47 5C C1 04 87  ..,...?.&v.G\...
0x0040: 00 50 00 A6 5F B7                                .P.._.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

ICMP Type 3 should return the 20 byte IP header + 64 bits of data.
Let's look at all the bytes from the outbound packet that *could* have been returned. Top row in the pair is what was sent. Bottom row is the bytes that actually were returned. Beneath that is a description of the byte's representation.

4500 0028 5e8d 0000 4006 8ab9 3f0b 2676
4500 0028 5e8d 0000 2c06 9eb9 3f0b 2676
vhl  len  id   frg  tlpr cksm src adr

cf47 5cc1 0487 0050 00a6 5fb7 0c9f ed72 50 04 0000 bf10
cf47 5cc1 0487 0050 00a6 5fb7 |- ICMP pkt doesn't have this -|
dst adr   sprt dprt seq.num   ack.num   hl fl win  cksm

(vhl = version/header length, tlpr = ttl/proto, sprt/dprt = src/dst port, hl = header length, fl = flags)

The bits needed to correctly identify the RST flag didn't return from the router. Snort filled the alert fields with superfluous data (**U*P*S*.)

Matt Scarborough 2001-06-15
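The boundary problem discussed in this thread, as an added example that is not code from the post or from Snort's log.c: a bounds-checked decoder for the datagram quoted inside an ICMP type 3 message, run over the two packets above with their Ethernet headers stripped. The filler bytes in STALE_TAIL are a constructed stand-in for whatever stale memory follows a short packet in a reused capture buffer, and the function and field names are this example's own.

```python
"""Bounds-checked decoding of the datagram quoted inside an ICMP type 3 message.

Added example; not Snort's log.c. RST_FRAME and ICMP_FRAME are the two packets
from the post with the 14-byte Ethernet header stripped. STALE_TAIL is a
constructed stand-in for whatever bytes follow a short packet in a reused
capture buffer.
"""
import struct

# Outbound RST: IP header + the full 20-byte TCP header (from the post).
RST_FRAME = bytes.fromhex(
    "4500 0028 5e8d 0000 4006 8ab9 3f0b 2676 cf47 5cc1 "
    "0487 0050 00a6 5fb7 0c9f ed72 5004 0000 bf10 0000"
)

# ICMP 3/13 reply: the quoted original datagram is only 28 bytes long,
# i.e. the IP header plus the first 8 bytes of TCP (from the post).
ICMP_FRAME = bytes.fromhex(
    "4500 0038 1f2b 0000 ef01 96ed 81fa 2e31 3f0b 2676 "
    "030d 97be 0000 0000 "
    "4500 0028 5e8d 0000 2c06 9eb9 3f0b 2676 cf47 5cc1 "
    "0487 0050 00a6 5fb7"
)

# Constructed filler standing in for stale memory after the frame.
STALE_TAIL = b"\xaa\xbb\xcc\xdd" * 4

TCP_FLAG_BITS = "FSRPAU"  # bit 0..5 of the flags byte: FIN SYN RST PSH ACK URG

# (name, byte offset, struct format) for each fixed TCP header field.
TCP_FIELDS = (
    ("sport", 0, "!H"), ("dport", 2, "!H"), ("seq", 4, "!I"), ("ack", 8, "!I"),
    ("off_flags", 12, "!H"), ("win", 14, "!H"), ("cksum", 16, "!H"), ("urg", 18, "!H"),
)


def flag_string(flags_byte):
    return "".join(n for i, n in enumerate(TCP_FLAG_BITS) if flags_byte >> i & 1)


def parse_ipv4(buf):
    """Return (header fields, payload) for an IPv4 packet at the start of buf."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, length, ident, _frag, ttl, proto, _ck, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad or truncated IPv4 header length")
    hdr = {"ihl": ihl, "len": length, "id": ident, "ttl": ttl, "proto": proto,
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    return hdr, buf[ihl:]


def parse_tcp(buf, available):
    """Decode the TCP fields whose bytes lie within the first `available` bytes.

    Fields that extend past `available` are reported as None instead of being
    read from whatever follows, which is the check the post says log.c lacks.
    """
    out = {}
    for name, off, fmt in TCP_FIELDS:
        if off + struct.calcsize(fmt) <= available:
            out[name] = struct.unpack_from(fmt, buf, off)[0]
        else:
            out[name] = None
    if out["off_flags"] is None:
        out["flags"] = out["data_off"] = None
    else:
        out["flags"] = flag_string(out["off_flags"] & 0x3F)
        out["data_off"] = (out["off_flags"] >> 12) * 4
    return out


def decode_icmp_unreachable(capture, frame_len, checked=True):
    """Decode an ICMP type 3 frame occupying the first frame_len bytes of capture.

    checked=True decodes only bytes inside the frame. checked=False decodes the
    embedded TCP header as if all 20 bytes were present, reading past the
    frame end into the rest of the buffer: the behaviour the post describes.
    """
    frame = capture[:frame_len]
    outer, icmp = parse_ipv4(frame)
    if outer["proto"] != 1 or len(icmp) < 8:
        raise ValueError("not an ICMP packet")
    itype, icode = icmp[0], icmp[1]
    if itype != 3:
        raise ValueError("not an ICMP destination unreachable")
    inner, l4 = parse_ipv4(icmp[8:])  # quoted original datagram
    if inner["proto"] != 6:
        raise ValueError("quoted datagram is not TCP")
    if checked:
        tcp = parse_tcp(l4, available=len(l4))
    else:
        l4_off = outer["ihl"] + 8 + inner["ihl"]
        tcp = parse_tcp(capture[l4_off:], available=20)
    return {"type": itype, "code": icode, "outer": outer, "inner": inner,
            "quoted_l4_bytes": len(l4), "tcp": tcp}


def compare():
    """Decode the RST as sent, then the ICMP quotation both ways."""
    _, rst_l4 = parse_ipv4(RST_FRAME)
    rst = parse_tcp(rst_l4, available=len(rst_l4))
    buf = ICMP_FRAME + STALE_TAIL
    good = decode_icmp_unreachable(buf, len(ICMP_FRAME), checked=True)
    bad = decode_icmp_unreachable(buf, len(ICMP_FRAME), checked=False)
    return rst, good, bad


if __name__ == "__main__":
    rst, good, bad = compare()
    print("sent:             flags=%s ack=%#x" % (rst["flags"], rst["ack"]))
    print("quoted TCP bytes: %d" % good["quoted_l4_bytes"])
    print("checked decode:   flags=%s ack=%s" % (good["tcp"]["flags"], good["tcp"]["ack"]))
    print("unchecked decode: flags=%s ack=%#x" % (bad["tcp"]["flags"], bad["tcp"]["ack"]))
```

Run as a script, the RST as sent decodes with flags R and the acknowledgement number from the dump, the checked decode of the quotation finds only 8 bytes of TCP (ports and sequence number) and reports ack and flags as unavailable, and the unchecked decode dutifully reports whatever the filler bytes happen to spell. A post-processor that keys on the flags in the ICMP alert therefore needs the quoted length, not just the field.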
Current thread:
- Re: Wierd Packets, ICMP Dest Unreachable Phil Wood (Jun 14)
- <Possible follow-ups>
- Re: Wierd Packets, ICMP Dest Unreachable Matt Scarborough (Jun 14)